From 53a1d02fed30298a20acceb0b86f7598d431a249 Mon Sep 17 00:00:00 2001
From: Noah Yoshida
Date: Wed, 18 Sep 2024 04:11:18 -0700
Subject: [PATCH 1/2] add topology spread constraints to interceptor (#684)

Signed-off-by: Noah Yoshida
---
 http-add-on/README.md | 6 +++++-
 http-add-on/templates/interceptor/deployment.yaml | 4 ++++
 http-add-on/values.yaml | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/http-add-on/README.md b/http-add-on/README.md
index 5b64899c..decf68a1 100644
--- a/http-add-on/README.md
+++ b/http-add-on/README.md
@@ -133,7 +133,7 @@ their default values.
 | `scaler.nodeSelector` | object | `{}` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) |
 | `scaler.pendingRequestsInterceptor` | int | `200` | The number of "target requests" that the external scaler will report to KEDA for the interceptor's scaling metrics. See the [KEDA external scaler documentation](https://keda.sh/docs/2.4/concepts/external-scalers/) for details on target requests. |
 | `scaler.pullPolicy` | string | `"Always"` | The image pull policy for the scaler component |
-| `scaler.replicas` | int | `3` | Number of replicas |
+| `scaler.replicas` | int | `3` | Number of replicas |
 | `scaler.resources.limits.cpu` | float | `0.5` | |
 | `scaler.resources.limits.memory` | string | `"64Mi"` | |
 | `scaler.resources.requests.cpu` | string | `"250m"` | |
@@ -157,6 +157,9 @@ their default values.
 | `interceptor.keepAlive` | string | `"1s"` | The interceptor's connection keep alive timeout |
 | `interceptor.maxIdleConns` | int | `100` | The maximum number of idle connections allowed in the interceptor's in-memory connection pool. Set to 0 to indicate no limit |
 | `interceptor.nodeSelector` | object | `{}` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) |
+| `interceptor.pdb.enabled` | bool | `true` | Whether to install the `PodDisruptionBudget` for the interceptor |
+| `interceptor.pdb.maxUnavailable` | int | `1` | The maximum number of replicas that can be unavailable for the interceptor |
+| `interceptor.pdb.minAvailable` | int | `0` | The minimum number of replicas that should be available for the interceptor |
 | `interceptor.proxy.port` | int | `8080` | The port on which the interceptor's proxy service will listen for live HTTP traffic |
 | `interceptor.proxy.service` | string | `"interceptor-proxy"` | The name of the Kubernetes `Service` for the interceptor's proxy service. This is the service that accepts live HTTP traffic. |
 | `interceptor.pullPolicy` | string | `"Always"` | The image pull policy for the interceptor component |
@@ -175,6 +178,7 @@ their default values. | `interceptor.tls.port` | int | `8443` | Port that the interceptor proxy TLS server should be started on | | `interceptor.tlsHandshakeTimeout` | string | `"10s"` | The maximum amount of time the interceptor will wait for a TLS handshake. Set to zero to indicate no timeout. | | `interceptor.tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | +| `interceptor.topologySpreadConstraints` | list | `[]` | Topology spread constraints ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/)) | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml index 4d450f40..5c83b641 100644 --- a/http-add-on/templates/interceptor/deployment.yaml +++ b/http-add-on/templates/interceptor/deployment.yaml @@ -122,3 +122,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.interceptor.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml index 25f76533..0436af27 100644 --- a/http-add-on/values.yaml +++ b/http-add-on/values.yaml @@ -170,6 +170,8 @@ interceptor: tolerations: [] # -- Affinity for pod scheduling ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)) affinity: {} + # -- Topology spread constraints ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/)) + topologySpreadConstraints: [] # interceptor pod resource limits resources: # -- The CPU/memory resource limit for the operator component From 714d29f258558f8b5de3a9ab9ce82631b74248f0 Mon Sep 17 00:00:00 2001 
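Review bot: The new `topologySpreadConstraints` block in deployment.yaml passes the values list through `toYaml . | nindent 8` unchanged, so each constraint's `labelSelector` must be hand-written to match the interceptor pod labels, which are not visible in this hunk. A selector that matches no interceptor pods is still a valid manifest but, as far as I can tell, has no effect on placement, and the interceptor sits in the request path. I would document this next to the new key in values.yaml, for example `# each constraint's labelSelector must match the interceptor pod labels, otherwise it has no spreading effect`. The pod spec this block is appended to starts outside the hunk.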
From: Jan Wozniak
Date: Mon, 23 Sep 2024 16:49:51 +0200
Subject: [PATCH 2/2] Add Secret GET to keda-operator minimal RBAC (#689)

Signed-off-by: Jan Wozniak
---
 keda/templates/manager/minimal-rbac.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml
index 1b5a0ca4..4ff03526 100644
--- a/keda/templates/manager/minimal-rbac.yaml
+++ b/keda/templates/manager/minimal-rbac.yaml
@@ -35,6 +35,7 @@ rules:
 - create
 - update
 {{- if .Values.permissions.operator.restrict.secret }}
+ - get
 - list
 - watch
 {{- end }}
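Review bot: The added `- get` joins a verb list whose `resources` (and any `resourceNames`) lines are above the hunk, so it is not visible here whether the grant covers named Secrets or every Secret the binding reaches. Because `list` and `watch` in the same conditional already return full Secret contents, `get` probably adds no new read exposure, but the template does not record why it is needed. I would add a comment above the `if`, for example `# Secret read verbs, granted here only when permissions.operator.restrict.secret is set`, and confirm that this rule is bound through a namespaced Role rather than a ClusterRole. The `rules:` list starts outside the hunk.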